Regarding the 'whistleblowing' directive: are whistleblowers protected in the workplace context?

whistleblowing directive

After a certain historical development in the field of regulatory compliance and criminal liability of legal entities as a consequence of acts or omissions carried out within the organization, the European Union approved in October 2019 the Directive (EU) 2019/1937 on the protection of persons who report infringements of Union law, popularly known as “Whistleblowing Directive”.

Although it is true that the mandatory transposition of said directive had a deadline of December 17, 2021, it has not yet become effective.

It was in March when the Government published the Preliminary draft law regulating the protection of people who report regulatory infractions and the fight against corruption and September 13, the date on which the council of ministers approved a Bill definitive: Law regulating the protection of people who report regulatory violations and the fight against corruption subject, however, to parliamentary processing.

Additionally, the Bill provides an implementation period of three months from its entry into force for larger companies and another period until December 1, 2023 for private sector companies with fewer than 249 workers.

“Whistleblowing Directive”: minimum standards to protect whistleblowers

Like any directive, the “Whistleblowing Directive” establishes certain Common minimum standards for the protection of whistleblowers (from the public or private sector) who in a work context (whether current, extinct or even pre-contractual) report violations of the Union law, subject to subsequent national development by the different member states of the European Union. The directive extends the aforementioned protection to facilitators, third parties and legal entities linked to the complainant.

From the content of the “Whistleblowing Directive”, which, in turn, has served as a substantial reference for the drafting of the draft and definitive project, currently being processed in parliament, highlights:

1. Delimitation of the Infractions subject to its content.
2. Non-application of the Directive on the protection of classified information, professional secrecy, judicial deliberations and rules of criminal procedure and social representation.
3. Protection against complaints through internal, external channels or public disclosure.
4. Mandatory internal reporting channels (including private sector legal entities with 50 or more workers and all public sector legal entities with possible exceptions for municipalities with less than 10,000 inhabitants or less than 50 workers).
5. Possibility of channels managed individually or departmentally with delegation and identification of the person in charge of management.
6. The processing of personal data will be carried out in accordance with the Regulation (EU) 2016/679 and Directive (EU) 2016/680. The exchange or transmission of information will be subject to regulation (EU) 2018/1725.
7. Conditions for registering complaints.
8. Prohibition of retaliation and support and protection measures.
9. Possible sanctions and compensation for damages.

In short, the “Whistleblowing Directive” is a true declaration of intent whose application and practical effectiveness we will see soon. From EIP We will periodically launch short articles that are the subject of this content to expand on such interesting and necessary matter in defense of the rights and interests of the informants.

If you are interested in the world of Compliance and data protection, you will be interested in our master's degree with a job guarantee in Compliance & Data Protection Directorate. You will be able to access six different qualifications/certifications and you will be able to work as Compliance Director and Data Protection Director in important companies in the sector.

In our Master in Compliance & Data Protection Management, with the support of a teaching faculty made up of active Data Protection and Compliance Directors, legal professionals, judges, company executives and experts, you will become a highly specialized and autonomous professional, prepared to assume the functions of Compliance Director and Data Protection Director, with skills and knowledge in the following areas:

• Personal data protection.
• Claim processes before the AEPD.
• Design and implementation of Compliance Management Systems.
• Audit of information systems and data protection.
• Compliance systems management audit.
• Use of software management specific: GlobalSUITE.